[00:01.400 --> 00:07.020]  Can you guys hear me very well? Is there any kind of echo or background noise?
[00:07.020 --> 00:08.500]  Or is that just fine?
[00:08.820 --> 00:11.040]  Just give me a heart if it is okay.
[00:12.520 --> 00:14.840]  Okay, cool. Thank you.
[00:18.140 --> 00:20.540]  Once again, hello everyone.
[00:20.740 --> 00:22.500]  My name is Abhijit.
[00:22.540 --> 00:26.580]  And I am also known by the pseudonym ABX.
[00:26.580 --> 00:32.580]  I belong to Defcon Group Trivandrum, aka DC0471.
[00:32.960 --> 00:36.000]  I am very glad to be here today.
[00:36.460 --> 00:39.020]  It is a pleasure to be here.
[00:39.020 --> 00:43.440]  And I really appreciate the keynote of Jason.
[00:43.440 --> 00:45.080]  That was really wonderful.
[00:45.080 --> 00:48.420]  That was a really impressive keynote.
[00:48.900 --> 00:55.760]  And along with me, I have a couple of team members from Defcon Group Trivandrum today.
[00:55.760 --> 01:08.720]  We have my Defcon Trivandrum teammates, Aditya, Srihari, Taufik, Alex, Praveen, Vishnu, and Plucky, along with Alex.
[01:08.720 --> 01:11.360]  And we are all happy to be here.
[01:11.360 --> 01:16.120]  Once again, it is a privilege to be here in this village.
[01:16.440 --> 01:18.060]  Moving on to the next slide.
[01:23.220 --> 01:25.100]  Next slide, please.
[01:38.460 --> 01:40.340]  Give me a second, guys. Give me a second.
[01:40.340 --> 01:44.340]  Let me drop the mic here.
[01:52.080 --> 01:53.280]  One second.
[02:16.030 --> 02:18.610]  Sorry, guys. I am pretty new to this platform.
[02:18.610 --> 02:19.650]  Give me a second.
[02:31.530 --> 02:33.690]  Could you please help me with this mic?
[02:33.690 --> 02:37.350]  I just need to drop this mic and speak in loudspeaker.
[02:37.350 --> 02:38.730]  Could anyone help me, please?
[02:39.150 --> 02:39.850]  TX?
[02:39.850 --> 02:45.770]  You have to hold your left mouse button for a while and you can just throw the mic away.
[02:46.130 --> 02:48.030]  What? Left what? Left shift key?
[02:48.070 --> 02:49.590]  The mouse button, right?
[02:49.790 --> 02:51.910]  Yeah, the left mouse button.
[02:52.410 --> 02:53.530]  That's how you do it.
[02:53.530 --> 02:54.190]  Okay.
[03:09.190 --> 03:09.970]  Cool.
[03:11.170 --> 03:13.630]  Okay, sorry again for the trouble, guys.
[03:14.270 --> 03:16.710]  I am really new to this platform.
[03:16.990 --> 03:19.870]  Okay, once again, going back to the slide.
[03:19.870 --> 03:24.210]  We manage the Defcon Group Trivandrum, which is in India.
[03:24.390 --> 03:30.970]  Our location is Trivandrum, which is a very small city in India.
[03:31.550 --> 03:38.130]  So, we have started our Defcon Group in January 2018.
[03:38.590 --> 03:47.670]  We have organized a couple of hacker meetups and conferences during the past events with multiple tracks and CTFs.
[03:47.670 --> 03:52.770]  We have more than 15 organizing team members, who are hardcore team members.
[03:52.770 --> 03:57.570]  This is like a brotherhood for me and everyone in my group.
[03:58.850 --> 04:05.930]  We are also hosting a hacking podcast in Malayalam language, which is our native language.
[04:05.930 --> 04:09.130]  You could view that URL in there.
[04:09.210 --> 04:13.730]  It is kind of interviewing local hackers and cybersecurity professionals.
[04:13.730 --> 04:17.410]  We also connect regularly.
[04:39.370 --> 04:41.630]  Move to the next slide, please.
[04:45.180 --> 04:49.580]  Here are some of the photos of some of our events.
[04:49.580 --> 04:55.480]  We had the opportunity to have a good set of speakers in our previous meetups.
[04:57.720 --> 05:02.460]  I think that is it about our Defcon Group Trivandrum.
[05:02.460 --> 05:06.400]  I think we can go to the technical presentation now.
[05:06.880 --> 05:08.460]  Please move to the next slide.
[05:16.800 --> 05:23.320]  As you can see, the title of my talk would be building an internal Red Team for your organization.
[05:23.320 --> 05:29.220]  It is like building a practical Red Team within your organization.
[05:33.050 --> 05:34.630]  Next slide, please.
[05:34.630 --> 05:41.890]  As I have mentioned, my name is Abhijit.
[05:42.630 --> 05:48.570]  And I'm also known by the pseudonym ABX.
[05:48.750 --> 05:53.990]  I'm leading offensive security operations in a global financial technology company.
[05:54.310 --> 05:59.550]  I'm also the former deputy manager for cybersecurity in Nissan Motors.
[05:59.930 --> 06:04.050]  Prior to that, I used to work for EY as a senior security analyst.
[06:04.050 --> 06:09.210]  I have nearly 10 years of experience in the security domain.
[06:09.290 --> 06:14.950]  I'm also the founder of a community called teamvillage.org.
[06:14.950 --> 06:18.870]  And no, it is not associated with Defcon Villages.
[06:19.130 --> 06:24.230]  Like I mentioned earlier, I'm also the leader of the Defcon Trivandrum community.
[06:24.230 --> 06:29.590]  Recently, I started running a blog called tacticaladversary.io,
[06:29.590 --> 06:34.030]  which is a blog dedicated to adversarial simulation and Red Teaming tactics.
[06:34.170 --> 06:39.270]  It is still a work in progress. I'm still working on it, you know, just to get things started.
[06:40.190 --> 06:42.030]  Moving to the next slide.
[06:44.780 --> 06:47.740]  Let's make some things clear first.
[06:47.740 --> 06:53.900]  I don't really want to, you know, do an intro about vulnerability assessment, pen test or Red Teaming.
[06:53.900 --> 07:00.820]  But I just want to make some statements before we go further into the slides.
[07:01.320 --> 07:03.340]  Moving on to the next slide.
[07:09.230 --> 07:13.830]  This is just a statement. I think you can see the slide. Yeah, yeah.
[07:13.830 --> 07:18.450]  This is just a statement. Vulnerability assessment, it is not Red Teaming.
[07:19.890 --> 07:26.270]  Like, you know, also vulnerability assessment, it is not penetration testing as well.
[07:26.270 --> 07:29.890]  So we all know, like, what is vulnerability assessment.
[07:29.930 --> 07:40.030]  It is about targeting a system, an application or a network just to identify the list of vulnerabilities.
[07:40.030 --> 07:43.530]  Like, you know, what are the known weaknesses in that system?
[07:43.530 --> 07:53.130]  List them down along with the remediation plan and hand it over to the appropriate teams so that they can get it fixed.
[07:53.130 --> 07:54.970]  So that is called vulnerability assessment.
[07:54.970 --> 07:58.950]  It is not Red Teaming. I will go to the next slide.
[08:00.250 --> 08:04.510]  Again, penetration testing, it is also not Red Teaming.
[08:05.830 --> 08:13.370]  But pen testing, on the other hand, compared to VA, it is more focused towards the goal.
[08:17.250 --> 08:19.650]  Maybe... could you please go to the next slide?
[08:19.690 --> 08:21.310]  Oh, OK. This is fine. This is fine.
[08:21.310 --> 08:26.190]  OK. Maybe we are targeting an application or infrastructure.
[08:26.190 --> 08:31.250]  Our only goal would be compromising that system and get into it.
[08:31.670 --> 08:36.790]  The pen testing report also reflects the same, rather than listing all vulnerabilities.
[08:37.630 --> 08:39.550]  We are facing a problem now, right?
[08:39.550 --> 08:45.510]  You know, nowadays we cannot differentiate between vulnerability assessment and pen testing reports.
[08:45.510 --> 08:56.130]  A pen testing report may list all vulnerabilities in the target system instead of the exploitation and how the attacker got into the system.
[08:57.770 --> 09:03.630]  For my day job, I used to see external pen testing reports with SSL issues only.
[09:03.630 --> 09:05.810]  Just imagine that. Just think about it.
[09:05.810 --> 09:15.350]  I used to see penetration testing reports from external vendors which are having SSL issues in a pen testing report.
[09:15.350 --> 09:16.830]  That is really weird.
[09:17.950 --> 09:19.950]  It is kind of confusing now, you know.
[09:19.950 --> 09:22.950]  If anyone here is also feeling the same, just let me know.
[09:22.950 --> 09:27.090]  Like, you know, the confusion between the vulnerability assessment and pen testing.
[09:27.090 --> 09:30.210]  We are seeing it in our day-to-day life, you know.
[09:30.210 --> 09:35.870]  These vendors, these professionals, they are giving us the VA and pen testing reports, you know.
[09:36.250 --> 09:38.610]  It is kind of very confusing.
[09:39.410 --> 09:50.460]  We are not blind here, but I am getting muted sometimes.
[09:50.460 --> 09:51.460]  I don't know why.
[09:53.860 --> 09:59.820]  Okay, as the last statement, I also want to mention that pen testing is not routine.
[10:00.260 --> 10:03.660]  I'll come to this point later, later in the presentation.
[10:04.600 --> 10:07.980]  Can we go to the next slide?
[10:16.120 --> 10:17.180]  Okay.
[10:17.180 --> 10:23.580]  So, like, you know, most of us know the meaning of Red Team or what is Red Team, right?
[10:24.020 --> 10:28.000]  We have a cool definition from redteams.net here.
[10:28.540 --> 10:37.280]  Historically, Red Team, the term Red Team, it originates from the military terms which would be imitating the role of adversaries.
[10:37.420 --> 10:41.320]  They will try to mimic the attacks against the military base.
[10:41.660 --> 10:48.880]  That is the explanation about Red Teaming.
[10:48.920 --> 10:50.640]  Could you please go to the next slide?
[10:50.640 --> 10:54.720]  We have a much simpler explanation in here.
[10:54.780 --> 10:59.600]  This is a much simpler and easy to use explanation.
[11:01.770 --> 11:05.280]  This is also from redteams.net.
[11:05.930 --> 11:14.190]  A Red Team is a group of highly skilled people that continuously challenge the plans, defensive measures, and security concepts.
[11:14.190 --> 11:16.650]  That is pretty clear, right?
[11:16.650 --> 11:20.110]  This is actually called adversarial attack simulation.
[11:20.110 --> 11:22.370]  That is what we are doing nowadays.
[11:22.630 --> 11:25.190]  I will come to the next slide.
[11:28.730 --> 11:30.520]  Is it the next slide yet?
[11:31.250 --> 11:32.610]  Yes, it is.
[11:34.070 --> 11:37.010]  Let me talk about a confusion here.
[11:42.270 --> 11:50.330]  I have seen these comments with the sales people and usually the security services executives.
[11:50.330 --> 11:52.470]  I am not mocking anyone here.
[11:52.470 --> 11:57.810]  It is also very sad that many people are seeing Red Teams as penetration testers.
[11:57.810 --> 12:00.970]  They will be saying, like, you know, I am a part of internal Red Team.
[12:01.050 --> 12:03.630]  But I will ask, like, what are you doing then?
[12:03.630 --> 12:05.750]  I am doing penetration testing.
[12:05.750 --> 12:08.190]  I am doing web application penetration testing.
[12:08.190 --> 12:11.890]  I am doing application security.
[12:11.890 --> 12:14.010]  But I am a part of internal Red Team.
[12:14.010 --> 12:16.510]  But it is kind of confusing.
[12:16.510 --> 12:21.770]  It is also very sad that, you know, these people are seeing Red Teams as penetration testers.
[12:22.330 --> 12:28.930]  To explain the actual job, along with the Red Team professional, I mean, along with the Red Team professional,
[12:28.930 --> 12:34.690]  many security folks are nowadays using the term adversarial attack simulation as well.
[12:39.910 --> 12:44.190]  I have recently seen a couple of similar job titles in LinkedIn.
[12:44.190 --> 12:52.710]  Instead of mentioning a Red Team professional, they are listing their profile as adversarial attack simulation professional.
[12:52.710 --> 12:57.870]  Or, you know, like operator as adversarial attack simulation.
[12:57.870 --> 12:58.630]  Something like that.
[12:58.630 --> 13:03.190]  Just to be more clear, other than, you know, confusing, using confusing terms.
[13:04.890 --> 13:06.570]  Next slide, please.
[13:13.490 --> 13:15.910]  So, everyone, how is this picture?
[13:15.910 --> 13:17.070]  Do you like this picture?
[13:18.530 --> 13:22.790]  Could you guys please give me hearts or claps if you like this picture?
[13:23.430 --> 13:26.570]  I am not getting hearts from everyone, I think.
[13:27.850 --> 13:29.270]  Yeah, now I do.
[13:29.270 --> 13:33.330]  Actually, you know, I really wanted to show off this picture.
[13:33.330 --> 13:37.930]  You know, the perfect symphony between the attackers and the defenders.
[13:38.690 --> 13:46.090]  It was created based on the native Kerala martial art, which is called Kalaripayattu.
[13:46.090 --> 13:50.510]  That is the traditional martial art form of our native place.
[13:50.710 --> 13:53.730]  So, based on that, we created this picture.
[13:54.450 --> 14:03.150]  You know, it was designed for a CTF competition at a conference called COCON, which is one of the biggest cyber security conferences in India.
[14:03.310 --> 14:06.430]  So, I really wanted to show you guys this picture.
[14:06.910 --> 14:09.510]  I think you guys really like it, right?
[14:09.510 --> 14:15.870]  You know, the actual symphony between Red Teams and Blue Teams, based on our native martial art form.
[14:16.090 --> 14:19.090]  That was kind of a show off. Thank you.
[14:19.810 --> 14:22.370]  Moving on to the next slide.
[14:26.850 --> 14:35.050]  So, most of the things mentioned here, that is from my own experience, are the awesome contributors of the security community.
[14:35.510 --> 14:43.910]  Most of the companies, they already have their own application security and internal pen testing teams.
[14:43.910 --> 14:51.810]  So, what if they want to move to more matured attack simulation activities?
[14:51.810 --> 15:03.250]  You know, they are doing fine with AppSec and internal pen test, but they also want to move into a more matured attack simulation team.
[15:03.250 --> 15:14.570]  So, I really think this talk will be helpful for such people who want to build an offensive internal team for adversarial attack simulation.
[15:14.670 --> 15:19.870]  We are targeting that kind of audience here. I mean, the target audience.
[15:24.280 --> 15:26.080]  Next slide, please.
[15:32.790 --> 15:36.470]  Okay, I think you can see this picture.
[15:36.470 --> 15:42.770]  So, we have created this diagram for one of our assignments.
[15:43.150 --> 15:49.250]  Internal Red Team Operations Framework. That is still a work in progress. We are still working on this.
[15:50.150 --> 15:57.730]  We have split it into five different phases. Internal Red Team Operations Framework into five different phases.
[15:57.990 --> 16:05.190]  Each framework will be having its own models and its own concepts.
[16:05.190 --> 16:14.810]  So, based on that, we can start from the scratch and get into more mature level Red Teams, Internal Red Teams.
[16:14.950 --> 16:18.610]  We can go into each of these phases individually.
[16:20.570 --> 16:22.330]  Next slide, please.
[16:27.970 --> 16:29.170]  Okay.
[16:30.330 --> 16:35.990]  So, this is the very first phase of IRTO, which is Internal Red Team Operations.
[16:35.990 --> 16:42.350]  It's like building from the scratch. We need to get our budget approved.
[16:42.370 --> 16:46.250]  We really need to defend the practical goals and objectives.
[16:48.210 --> 16:57.950]  It's like you should ask yourself, why are we creating this team? What is the need of an Internal Red Team in my organization?
[16:57.950 --> 17:01.050]  Now, there should be a hard question.
[17:12.120 --> 17:17.290]  Each organization has its own different set of crown jewels.
[17:17.590 --> 17:20.850]  It is their sensitive data or assets.
[17:34.120 --> 17:37.880]  The crown jewels of our organization.
[17:37.880 --> 17:41.200]  Not only crown jewels, also people.
[17:41.200 --> 17:50.900]  For example, it is always about the critical assets or critical people within an organization.
[17:50.900 --> 18:03.060]  For example, if there is a company which is doing manufacturing, for them, it is their formula architects and all the stuff.
[18:03.060 --> 18:05.380]  They have to keep it very safe.
[18:05.380 --> 18:14.560]  So, considering that, each organization has its own valuable assets, its own data set, its own data centers.
[18:14.560 --> 18:19.080]  So, we need to identify the crown jewels of our organization.
[18:19.080 --> 18:26.500]  We need to create rules of engagement and we need to get assistance from the management and legal department.
[18:26.640 --> 18:33.900]  And more importantly, before moving forward, we need to understand the security posture of our organization.
[18:33.900 --> 18:41.760]  What are the security countermeasures or what are the security implementations which are there for an organization.
[18:41.760 --> 18:47.680]  So, that is very essential to understand before we move forward.
[18:48.080 --> 18:54.200]  And, like I mentioned, identify the crown jewels and people.
[18:54.200 --> 18:57.960]  There is one more thing. People are always important.
[18:57.960 --> 19:09.040]  For example, you know that there are many high-level executives out there, high-level management people are out there.
[19:09.080 --> 19:14.080]  They are always vulnerable to phishing attacks. I will tell you why.
[19:14.140 --> 19:20.320]  Usually, being technical people, we don't have the urge to open our email all the time.
[19:20.320 --> 19:30.100]  But, being business consultants or being business executives, they always have the kind of an issue to open and respond to their emails.
[19:30.500 --> 19:39.720]  So, they will always fall for a targeted phishing campaign. That is kind of the key thing here.
[19:39.860 --> 19:46.340]  So, along with the sensitive data, we also need to identify what are the key people to my organization.
[19:46.340 --> 19:52.960]  What if someone has compromised their personal account? What will happen to the organization?
[19:53.080 --> 20:07.660]  So, this can be a challenge for people who are looking to build their team.
[20:08.300 --> 20:10.380]  Moving on to the next slide.
[20:18.200 --> 20:20.160]  Next slide is here, right?
[20:20.160 --> 20:34.380]  Okay. How many of you know about this A-Team?
[20:34.980 --> 20:38.200]  Three? Four? Okay.
[20:38.200 --> 20:45.320]  So, recently in 2010 or 2012, there was a movie acted by Bradley Cooper.
[20:45.820 --> 20:49.440]  Okay. So, the A-Team.
[20:49.440 --> 20:51.520]  The team and skill set.
[20:56.450 --> 20:59.610]  This is how, for example, just consider the A-Team.
[20:59.610 --> 21:02.010]  This is how a team should be.
[21:02.150 --> 21:05.190]  Like, the team must be diverse.
[21:07.350 --> 21:10.450]  This is not a one-man job.
[21:10.850 --> 21:16.050]  They'll have to work together as a team or work solo sometimes.
[21:16.050 --> 21:21.230]  Also, they'll have to work under an excessive amount of pressure.
[21:21.770 --> 21:25.070]  They should be able to handle that pressure.
[21:25.070 --> 21:27.210]  It is really important.
[21:27.410 --> 21:31.090]  For example, we know that Colonel Hannibal, right?
[21:31.250 --> 21:34.490]  He's also the leader of A-Team.
[21:34.490 --> 21:37.170]  And sometimes, he's a solo player.
[21:40.910 --> 21:46.950]  And the A-Team, they're strong individually and stronger as a team.
[21:46.950 --> 21:49.630]  That is an important thing to have.
[21:49.630 --> 21:51.550]  You need to handle things personally.
[21:51.550 --> 21:53.990]  And you need to handle things alone.
[21:53.990 --> 21:56.490]  And you need to handle things as a team.
[21:56.490 --> 21:59.590]  That should be a skill set.
[22:02.070 --> 22:05.410]  So, the team should also contain non-technical people.
[22:05.410 --> 22:07.090]  We talked about technical people, right?
[22:07.090 --> 22:18.370]  We talked that in order to build a red team, we need highly technical people in different areas of attack simulation and offensive security operations.
[22:18.370 --> 22:23.450]  But along with that, the team should also contain non-technical people.
[22:24.410 --> 22:31.230]  So, how many of you here have ever created a phishing campaign against any kind of organization?
[22:34.410 --> 22:36.110]  Give me some hearts.
[22:36.110 --> 22:38.970]  How many of you have hosted a phishing campaign?
[22:39.370 --> 22:42.330]  Yeah, I am seeing a couple of hearts in there.
[22:42.330 --> 22:44.010]  So, let me ask you a question.
[22:44.010 --> 22:58.250]  So, usually, the technical guys in your team or very people-managed and friendly guys, who are usually writing the phishing emails?
[22:58.250 --> 23:04.470]  The technical guy or more friendly HR-like persons?
[23:04.690 --> 23:07.290]  Who is creating the phishing emails for you?
[23:08.210 --> 23:09.110]  Guys, you can...
[23:09.110 --> 23:11.230]  If it is you, then you can give me a heart.
[23:11.310 --> 23:13.990]  Otherwise, you can just give me a palm or something.
[23:16.890 --> 23:18.870]  I am not seeing anything.
[23:23.620 --> 23:26.080]  Okay, I can see a couple of guys.
[23:26.080 --> 23:31.700]  They are saying that they do write their own phishing campaign emails.
[23:31.700 --> 23:33.320]  So, I will tell you something.
[23:33.600 --> 23:41.540]  Just imagine, a hardcore technical guy is writing a phishing email to someone like a business executive.
[23:41.820 --> 23:47.040]  For example, if I am writing a phishing email, that will be more technical.
[23:47.040 --> 23:52.460]  There will be this technical jargon and there will be a lot of technical ways.
[23:52.460 --> 23:54.020]  We don't want that, right?
[23:54.020 --> 24:05.820]  So, if there is a non-technical guy or a business guy or a human resources person in our team, we can ask them to write the phishing email for us.
[24:06.800 --> 24:08.000]  The meaning...
[24:08.000 --> 24:12.780]  They can connect with people compared to the technical guys.
[24:12.880 --> 24:15.540]  They are more friendly guys.
[24:15.540 --> 24:20.440]  They are more into human resources and they can connect with other people pretty easily.
[24:20.440 --> 24:22.860]  They speak a different language.
[24:22.860 --> 24:27.780]  So, it is always better to have non-technical people in our offensive team.
[24:27.780 --> 24:29.200]  It always helps.
[24:30.440 --> 24:32.360]  Could you please go to the next slide?
[24:41.640 --> 24:43.320]  Yeah, we have the next slide.
[24:44.080 --> 24:50.660]  So, this is the phase 2 of IRTO, like Internal Red Team Operations.
[24:54.660 --> 24:56.320]  So, a couple of points here.
[24:56.340 --> 24:58.520]  A couple of steps here.
[24:59.100 --> 25:00.500]  So, external infrastructure.
[25:00.500 --> 25:04.360]  It is always essential to mimic an adversary's actions.
[25:04.360 --> 25:07.360]  So, we need to build an external Red Team infrastructure.
[25:07.880 --> 25:14.400]  For the beginning, start with open source C2 tools, implants, frameworks, and other tools.
[25:14.460 --> 25:18.560]  We can modify it based on your requirements.
[25:19.300 --> 25:21.320]  Also, be friends.
[25:23.380 --> 25:25.300]  Okay, the third point.
[25:25.300 --> 25:28.420]  Identifying the business-specific risk.
[25:28.420 --> 25:36.700]  So, being in an internal Red Team is all about your organization and your organization's security posture,
[25:36.700 --> 25:40.020]  and deployed defense mechanisms, etc.
[25:40.020 --> 25:47.180]  So, it is a key point to identify the business-specific risk.
[25:47.180 --> 25:52.040]  It can vary based on the businesses and based on organizations.
[25:52.760 --> 25:55.460]  And the fourth point.
[25:56.000 --> 25:59.720]  Always be friends with the organization's Blue Team.
[25:59.720 --> 26:03.440]  If you have a Blue Team in your company, be friends with them.
[26:03.440 --> 26:07.660]  Just try to understand what they are doing in their daily lives.
[26:07.660 --> 26:13.460]  What are the tools and techniques which they are using for detecting the attackers.
[26:13.460 --> 26:25.360]  It is always good to be in a good relationship with your company's cyber defense system or cyber defense team.
[26:26.400 --> 26:33.600]  All of your organizational activities are there to make the Blue Team much stronger.
[26:33.600 --> 26:39.340]  So, it is very essential to have a good relationship with your cyber defense team.
[26:41.080 --> 26:42.360]  Okay.
[26:42.700 --> 26:46.060]  Also, don't take it personally.
[26:46.120 --> 26:50.680]  I just asked you to be friends with your organization's Blue Team.
[26:50.680 --> 26:54.640]  Once I tried to be friends with an organization's Blue Team,
[26:55.460 --> 26:59.680]  and in the end, she became my girlfriend.
[26:59.680 --> 27:01.280]  That's a long story.
[27:01.280 --> 27:03.700]  So, always don't try so hard.
[27:03.700 --> 27:08.240]  Just formally be friends with the Blue Team of your organization.
[27:08.240 --> 27:10.260]  Don't take it personally.
[27:10.480 --> 27:12.480]  Just a personal advice.
[27:17.580 --> 27:18.560]  Okay.
[27:18.560 --> 27:20.420]  Moving on to the next slide.
[27:21.920 --> 27:23.420]  Phase 3.
[27:26.200 --> 27:28.800]  Could you please go to the Phase 3 slide?
[27:28.800 --> 27:30.080]  Okay, Phase 3.
[27:32.220 --> 27:37.140]  Actually, this is where we begin to work on our plan.
[27:37.140 --> 27:40.620]  You can see, this is Phase 3 where we start working.
[27:40.620 --> 27:43.840]  So, we can use improved tools, techniques, and procedures.
[27:44.800 --> 27:48.400]  And we know about the current security mechanisms, right?
[27:48.400 --> 27:53.460]  We talked about current security mechanisms in Phase 1 and Phase 2.
[27:53.980 --> 27:58.500]  For example, the need of using improved TTPs.
[27:58.700 --> 28:04.920]  For example, what if your organization is not allowing PowerShell or any other scripts?
[28:05.520 --> 28:08.840]  That is where we need to improve our TTPs, right?
[28:08.840 --> 28:12.840]  Initially, we identified that the current organization,
[28:12.840 --> 28:16.860]  they do not allow PowerShell scripts or any other scripts, WScript, CScript, anything.
[28:16.860 --> 28:18.420]  They are not allowing anything.
[28:18.660 --> 28:26.220]  So, in that case, we need to make some changes in our techniques and improvise.
[28:26.320 --> 28:29.940]  We should find the next feasible option.
[28:30.660 --> 28:41.630]  For example, in this case, we can try running unmanaged PowerShell.
[28:41.650 --> 28:49.790]  Maybe the different systems, they are not considering unmanaged PowerShell executables as malicious.
[28:49.890 --> 28:54.950]  So, sometimes we can bypass the different mechanisms in there.
[29:01.940 --> 29:08.740]  From Phase 1 and 2, we had identified the Crown Jewels and people.
[29:08.900 --> 29:11.540]  And the vulnerable path needs to be fixed.
[29:11.540 --> 29:19.620]  The vulnerable path which can lead the Crown Jewels into a breach.
[29:20.780 --> 29:25.100]  Also, the next point, evaluation of incident response process.
[29:25.100 --> 29:27.100]  This is also important.
[29:27.100 --> 29:31.760]  What is your organization's process once it's been compromised?
[29:31.860 --> 29:36.180]  How much time did it take to detect the incident and respond to it?
[29:36.180 --> 29:38.860]  That is also important, very much important.
[29:40.100 --> 29:48.800]  And using the output of the previous phases, we could really improvise and make a new RTO process documentation.
[29:48.940 --> 29:55.940]  There is a final point, we can learn from the previous phases.
[29:55.940 --> 30:01.080]  And what have we learned from the previous phases, we can improvise from that.
[30:01.080 --> 30:07.660]  And we can create a new operations manual or new operations process to move further.
[30:07.660 --> 30:10.860]  So, that is the end of Phase 3.
[30:13.040 --> 30:18.940]  Moving on to the next slide, Phase 4, IRTO Phase 4.
[30:20.420 --> 30:23.400]  We have the Phase 4 here.
[30:25.320 --> 30:31.960]  So, it's like, for example, collaborative and continuous Purple Team exercises.
[30:31.960 --> 30:41.760]  So, whatever tasks are being done by the red team, the end goal should be empowering the blue team, right?
[30:42.240 --> 30:48.960]  So, it's always better to organize collaborative and continuous Purple Team exercises.
[30:48.960 --> 30:53.260]  Just join forces with the red teams and blue teams.
[30:53.700 --> 30:57.280]  Also, bring in more tooling capabilities.
[30:57.280 --> 31:05.740]  Many interesting platforms and tools are there, you know, we should empower the red teams and blue teams.
[31:06.400 --> 31:14.360]  Also, you can perform a targeted campaign, targeted and very specific campaigns against the crown jewels and key people.
[31:14.360 --> 31:16.600]  For example, business executives.
[31:28.210 --> 31:33.070]  You guys can still see my screen, right?
[31:33.090 --> 31:38.850]  Could you please give me some hearts if you can see the screens, I mean the slides?
[31:41.270 --> 31:43.830]  Okay, okay, okay. Awesome, awesome, awesome.
[31:44.670 --> 31:49.710]  Moving on to the next point, overt physical security assessment.
[31:49.710 --> 31:57.190]  We know that, you know, physical security assessment, they are a very big part of red teaming activities.
[31:57.190 --> 32:03.830]  So, we can, in phase three, phase four, we can start overt physical security assessment.
[32:03.830 --> 32:13.210]  We can identify the most important data centers, manufacturing plants, processing centers or anything based on your company's business.
[32:13.210 --> 32:19.390]  You know, it may differ, there may be, you know, different set of goals based on your company's portfolio.
[32:20.790 --> 32:26.690]  So, regarding the overt security assessment, you could just go to the premises,
[32:26.690 --> 32:35.330]  walk around the premises with the person in charge and perform your review in front of the, you know, in front of the reviewer as well.
[32:35.390 --> 32:41.190]  So, that is like, you are not breaking into anything. This is just overt physical security assessment.
[32:41.250 --> 32:44.870]  You are just going to the client site and you are just walking around.
[32:44.870 --> 32:49.930]  You are just trying to find as many physical vulnerabilities as possible in there and report them.
[32:49.930 --> 32:51.650]  It is as simple as that.
[32:54.050 --> 33:00.970]  So, you can, you know, as an example, you can refer to the work of Deviant Ollam, you know, on YouTube.
[33:00.970 --> 33:07.130]  He is a legend. He is the very best guy out there regarding physical, you know, security assessments.
[33:07.130 --> 33:08.590]  He is really awesome.
[33:12.240 --> 33:16.100]  Also, continuous awareness program for employees and key people.
[33:16.100 --> 33:21.800]  Like, you know, after, for example, you have done a couple of phishing campaigns, spear phishing campaigns,
[33:21.800 --> 33:25.740]  you know, you did some bad USB drop and everything.
[33:26.100 --> 33:31.980]  But from that, we need to share, we need to create a set of training series
[33:31.980 --> 33:38.960]  and we need to perform continuous awareness and training programs for employees and the top manager
[33:38.960 --> 33:45.080]  so that they can protect themselves from the future attacks of real adversaries.
[33:45.080 --> 33:46.880]  That is really important.
[33:49.100 --> 33:55.120]  Also, an operational tip, you know, when you go for a physical security assessment,
[33:55.120 --> 34:03.500]  do not show up with military apparel or a tactical bag along with a laptop which is full of hacking stickers.
[34:03.840 --> 34:08.680]  If you are going like this to the client site, you know, that raises a lot of eyebrows
[34:08.680 --> 34:12.320]  and that is going to be really funny. People will be looking at you all the time.
[34:12.320 --> 34:18.000]  Who is this guy, you know, wearing this tactical backpack and a laptop full of stickers?
[34:18.280 --> 34:21.680]  So that's kind of very, you know, attractive thing, right?
[34:21.680 --> 34:26.440]  So do not do that, even if you are doing a covert assessment or an overt assessment.
[34:26.440 --> 34:27.780]  It's pretty important.
[34:30.920 --> 34:37.960]  Going to the next slide, phase five, which is time to fly.
[34:38.660 --> 34:43.800]  Okay, so this is the final phase of the IRTO framework.
[34:45.020 --> 34:53.620]  By the time we reach phase five, we will have a kind of mature team operations capability.
[34:55.060 --> 34:59.020]  It is the time to grow some wings and fly away, right?
[34:59.020 --> 35:06.000]  Not from the organization, but, you know, like capabilities wise, just, you know, fly away.
[35:06.920 --> 35:11.220]  This is the phase where we have mature team operations capabilities.
[35:11.940 --> 35:20.800]  The main important thing would be, by this time, you should have a significant improvement in organizational security posture.
[35:20.800 --> 35:24.440]  Because we have passed four different phases, right?
[35:24.440 --> 35:28.740]  We did many things, you know, from the phase one.
[35:28.740 --> 35:38.240]  So by the time we reach phase five, it is very important to have a significant improvement in organizational security posture.
[35:38.440 --> 35:45.880]  So that is the clear proof of having a powerful and practical internal working.
[35:46.240 --> 35:50.180]  It is important for both systems and the key people.
[35:50.980 --> 35:57.320]  So you can also start, you know, covert physical security assessment, you know, instead of overt.
[35:57.320 --> 36:04.040]  You could just go to client sites without telling them that you are an internal employee, and you could do the assessment.
[36:04.240 --> 36:06.060]  That will be very much fun.
[36:06.060 --> 36:20.140]  So also, by the time we reach phase five, we will have highly skilled operators and we will have custom tools to create custom security patterns.
[36:21.540 --> 36:26.160]  Custom scripts and, you know, custom attack patterns.
[36:26.160 --> 36:30.620]  That is very important. That is very interesting capability to have.
[36:31.460 --> 36:37.820]  So also, continuous adversary simulation to keep the defenders on their toes.
[36:37.820 --> 36:43.640]  So by the time we reach phase five, we attain many things, right?
[36:43.640 --> 36:50.320]  And one of the things would be, one of the main things would be having continuous adversary simulation.
[36:50.520 --> 36:55.640]  Just to make sure that everything is going very well with the organization.
[36:57.320 --> 37:02.080]  Finally, continuous routine operations with a very different process.
[37:02.180 --> 37:08.620]  As an end result, we will also have a very different process to carry this task forward.
[37:08.620 --> 37:12.600]  You know, just repeat the process, make this a cycle.
[37:12.920 --> 37:20.000]  You know, continuous routine operation will be, you know, the actual result of, you know, reaching phase five.
[37:20.000 --> 37:21.700]  That is really important.
[37:21.700 --> 37:34.860]  So we can assume that by the time we reach the phase five, you know, there will be a lot of significant changes within our internal security posture.
[37:34.860 --> 37:37.900]  That is pretty important to have such a huge change.
[37:39.880 --> 37:42.880]  And moving on to the next slide.
[37:53.280 --> 37:59.820]  So the five phases which I have shown you, they are really customizable.
[37:59.820 --> 38:05.920]  Like, you know, you can change that to your own needs and you can add your own points.
[38:05.920 --> 38:14.200]  Even if you think that some of the points are misaligned in different phases, you can just modify the steps and you can make it your own.
[38:14.200 --> 38:15.500]  That is pretty simple.
[38:15.920 --> 38:26.720]  And coming back to the strategic and tactical plans, you can see, you know, there is a strategic plan, which is the total sum of a couple of tactical plans, right?
[38:26.720 --> 38:37.100]  So the strategic plans, they are focusing on long-term objectives, whereas the tactical plans focus on short-term engagements.
[38:37.100 --> 38:44.400]  So you can derive a couple of tactical plans and chain them together, you know, just to reach the highest goal.
[38:44.400 --> 38:50.160]  For example, you are planning, you are creating a strategic plan for one year.
[38:50.300 --> 38:53.700]  So you can split that into three.
[38:53.700 --> 39:00.280]  So each tactical plan has four months to attain a certain goal.
[39:00.280 --> 39:08.680]  For example, earlier we mentioned we need to identify the critical assets, key people and crown jewels, right?
[39:08.680 --> 39:17.840]  So for tactical plan one, you can take that as an objective and you can start identifying the critical assets and people.
[39:17.840 --> 39:24.760]  Then you can try to, you know, perform adversarial simulation against those assets and people.
[39:24.760 --> 39:29.440]  Just to identify, you know, are they vulnerable to phishing campaigns? What are the results?
[39:29.440 --> 39:35.900]  And we got a couple of credentials from these people. What are the privileges for these credentials?
[39:36.020 --> 39:44.120]  So by the end of tactical plan one, you will have a clear set of reports, you know, for your very first objective.
[39:44.120 --> 39:52.300]  So like that, we can, you know, chain a couple of tactical plans to have a very long-term objective.
[39:52.600 --> 39:58.900]  You know, that is the end goal of creating this IRTO platform.
[39:58.900 --> 40:02.440]  You can create your own plans, both tactical and strategic.
[40:02.440 --> 40:06.380]  Our end goal should be, you know, attaining the long-term objective.
[40:10.110 --> 40:14.070]  Okay, cool. Could you go to the next slide, please?
[40:20.800 --> 40:34.460]  Okay, this is the final slide. If you guys have any questions related to, you know, the team, like phases and maturity models, you know, please feel free to ask me.
[40:36.450 --> 40:42.290]  If you have any questions, you could just send some hearts and we can start talking.
[40:45.210 --> 40:46.410]  Anyone?
[40:48.690 --> 40:53.350]  Oh, okay.
[40:54.510 --> 41:01.390]  Okay, so all those who have questions, please give some heart reacts so that I can unmute you all.
[41:04.460 --> 41:06.600]  Actually, I can't hear you.
[41:06.600 --> 41:09.360]  Yeah, I can see and strike. Just a second.
[41:21.880 --> 41:25.760]  Could you please come near me? I can't hear you.
[41:30.970 --> 41:31.990]  Can you hear me?
[41:33.210 --> 41:35.170]  Yeah, tell me.
[41:36.170 --> 41:43.010]  So, do you model your adversarial campaigns off of APTs?
[41:44.710 --> 41:46.990]  Could you please come again?
[41:47.330 --> 41:52.530]  Do you model your adversarial campaigns off of APTs?
[41:53.830 --> 41:56.250]  Yeah, APT emulation, right?
[41:56.250 --> 41:57.330]  Yes.
[41:57.330 --> 42:02.610]  Yeah, we can, because I think I stated in one of my previous slides.
[42:03.370 --> 42:06.090]  That is in phase two, I think.
[42:06.430 --> 42:07.070]  Okay.
[42:07.070 --> 42:09.190]  This adversarial emulation.
[42:09.730 --> 42:18.890]  So, I mean, as a beginning in phase two, you can start doing emulation using, you know, Atomic Red Team or Caldera.
[42:18.890 --> 42:21.770]  Also, you can use the MITRE framework.
[42:21.870 --> 42:25.190]  You know, there are a couple of APTs listed in there.
[42:25.190 --> 42:33.490]  You can, you know, check those APTs and start collecting their commands and you can execute them in your, you know, test environment.
[42:33.650 --> 42:39.550]  So, the end result would be, you can understand the detection capabilities of your Blue Team.
[42:39.550 --> 42:40.950]  That is really cool.
[42:40.950 --> 42:48.010]  MITRE is doing a wonderful job, you know, collecting all these emulation and, you know, simulation plans.
[42:48.830 --> 42:50.390]  Okay, cool. Thank you.
[42:50.730 --> 42:52.170]  Yeah, thank you.
[43:01.040 --> 43:04.320]  So, you could always reach me on...
[43:11.920 --> 43:14.260]  Is anyone asking any questions?
[43:15.460 --> 43:18.940]  Could you please raise your hands or, like, you know, give me some hearts?
[43:19.100 --> 43:20.540]  I'll come near you.
[43:25.680 --> 43:29.140]  Could you throw some hearts? I'll come to you.
[43:34.270 --> 43:35.190]  Okay.
[43:35.330 --> 43:39.650]  So, if there are no questions, you can always reach me on Discord.
[43:40.010 --> 43:42.110]  It is abh1474.
[43:42.110 --> 43:47.930]  Also, you can reach me on my Twitter account, which is abhijitbr.
[43:49.030 --> 43:49.510]  And...
[43:50.350 --> 43:52.810]  Could you guys please move to the next slide?
[43:59.270 --> 44:00.910]  Next slide, please. Okay.
[44:01.330 --> 44:07.270]  And, yeah, thank you, everyone. Thank you for being here. Thank you for attending my talk.
[44:07.330 --> 44:13.270]  Thanks a lot, everyone, for, you know, being in the virtual village hosted by DEF CON groups.
[44:13.350 --> 44:14.510]  Thanks a lot.
[44:14.510 --> 44:26.570]  Also, I would like to, you know, thank Jason Eastridge and DEF CON groups for giving me this opportunity to stand here and give this presentation.
[44:26.850 --> 44:33.010]  Also, I would like to thank TX and his fabulous DEF CON group, Delphi.
[44:33.190 --> 44:36.030]  Also, DEF CON group Trivandrum, Mumbai.
[44:36.350 --> 44:38.190]  Thank you. Thank you, everyone.
[44:46.340 --> 44:48.920]  Okay, so...
[44:48.920 --> 44:49.640]  Okay.
